An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Filing moderate bugs for Jaeger. Jaeger uses protobuf, loading the unmarshal plugin, but only uses it for internal communications, with no use of unsafe. Additionally, the vulnerable skippy code is generated; for example: https://github.com/jaegertracing/jaeger/blob/27cb88fcb276de4bc2450137d17d999cbb802aea/proto-gen/api_v2/collector.pb.go#L394
Upstream kubernetes fix: https://github.com/kubernetes/kubernetes/pull/98477
@sfowler I don't think it's sufficiently clear from the filed BZs that the actual vulnerability is in generated code, not in directly linked code. I certainly missed this initially and was about to close our (Shift on Stack) bugs.

My understanding of this issue is that if you unmarshal a type using vendored code which was generated by the vulnerable protobuf, then your application is potentially vulnerable to this issue. Given that this includes k8s.io/api et al, this will be almost everybody. My understanding is that the only fix to this is to revendor all affected modules with a version which has itself updated to *and regenerated with* the fixed gogo/protobuf. The fix to core kubernetes you linked above is presumably going to hold everybody up here. While this appears to be fixed on master, I couldn't see any evidence of a backport, yet. I think this in turn means this is currently unfixable.

Assuming my understanding here is correct (a bold assumption, not to be made lightly), would it be helpful to:

1. Automatically add a comment to all dependent bugs clarifying this.
2. Re-open any bugs which have already been closed so they can be reassessed in this light.
3. Create bugs for dependent components for which we need backported fixes.
4. Automatically add these dependencies where relevant to all the created bugs.

I'd also be interested in guidance as to whether, in general, we consider this a blocker for 4.7. It sounds to me like we should, but I wouldn't be surprised to hear there's pragmatic context.
@sfowler Rereading that comment (after submission, of course!) I think it misses the key point: Your application is not in the clear just because it doesn't link plugin/unmarshal/unmarshal.go. Your application is not in the clear if it vendors any of the listed modules which themselves generated code using plugin/unmarshal/unmarshal.go. Almost all applications will be affected by this, as it includes k8s.io/api et al.
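One way to answer "is my vendor tree still carrying the vulnerable generated code?", as an added example that is not part of this bug and is not gogo/protobuf's or Red Hat's tooling: a small Go scanner that walks a directory, picks out *.pb.go files that import github.com/gogo/protobuf/proto, and classifies each by the unknown-field guard it contains. The Verdict names, Classify and ScanTree are mine. The two guard strings are the forms I understand the 1.3.1 and 1.3.2 generators to emit; whitespace is stripped before matching so gofmt spacing does not matter, and a file that imports gogo but matches neither form is reported as "unknown" for manual inspection rather than silently passed.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Verdict is what the scanner concludes about one .pb.go file.
type Verdict int

const (
	NotGogo    Verdict = iota // does not import github.com/gogo/protobuf/proto
	Vulnerable                // unknown-field guard is the pre-1.3.2 "if skippy < 0 {"
	Fixed                     // guard also rejects a wrapped iNdEx+skippy sum (1.3.2+)
	Unknown                   // gogo-generated, but neither guard form was found
)

func (v Verdict) String() string {
	return []string{"not-gogo", "VULNERABLE", "fixed", "unknown"}[v]
}

// Classify inspects the text of one generated file. Tabs and spaces are
// removed first so the match does not depend on how gofmt spaced the
// expression. The two guard strings are the forms I understand gogo/protobuf
// 1.3.1 and 1.3.2 to emit (assumption); treat "unknown" as "inspect by hand".
func Classify(src string) Verdict {
	if !strings.Contains(src, `"github.com/gogo/protobuf/proto"`) {
		return NotGogo
	}
	flat := strings.ReplaceAll(strings.ReplaceAll(src, "\t", ""), " ", "")
	switch {
	case strings.Contains(flat, "(skippy<0)||(iNdEx+skippy)<0"):
		return Fixed
	case strings.Contains(flat, "ifskippy<0{"):
		return Vulnerable
	}
	return Unknown
}

// ScanTree classifies every *.pb.go file under root (typically ./vendor).
func ScanTree(root string) (map[string]Verdict, error) {
	verdicts := map[string]Verdict{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(path, ".pb.go") {
			return err
		}
		src, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		verdicts[path] = Classify(string(src))
		return nil
	})
	return verdicts, err
}

func main() {
	root := "vendor"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	verdicts, err := ScanTree(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	vulnerable := 0
	for path, v := range verdicts {
		if v == Vulnerable || v == Unknown {
			fmt.Printf("%-10s %s\n", v, path)
		}
		if v == Vulnerable {
			vulnerable++
		}
	}
	fmt.Printf("%d gogo-generated file(s) still carry the pre-1.3.2 guard\n", vulnerable)
	if vulnerable > 0 {
		os.Exit(1)
	}
}
```

Run it as `go run . ./vendor` from a module root; a non-zero exit means at least one vendored file was generated before the fix, which is exactly the "revendor a regenerated version" situation described above, regardless of what go.mod says about gogo/protobuf itself.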
A (hopefully final) thought: under what circumstances are messages marshalled and unmarshalled using protobuf? For example, do regular api calls use protobuf or are they using http/json?
@mbooth - I agree with your analysis. Applications are affected if they include code with the Unmarshal() function that was generated by vulnerable versions of gogo/protobuf, e.g.

```
/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go:

import (
	...
	proto "github.com/gogo/protobuf/proto"
	...

func (m *Status) Unmarshal(dAtA []byte) error
```

The upstream kube fix in master both bumps gogo/protobuf and re-generates the affected code. We can consume the same fix in our components to update our protobuf k8s.io code but I think we will need similar upstream fixes for openshift/api, go.etcd.io/etcd etc.
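What the missing index validation in a generated Unmarshal() amounts to, as an added example that is not code from this bug, from gogo/protobuf or from Kubernetes: a reduced, self-contained Go model of the generated default: branch (unknown field, measured by the skipper, copied into XXX_unrecognized), with the pre-1.3.2 guard and the 1.3.2 guard selectable by a flag. The names decodeVarint, skipField, unmarshal, craftedMessage, tryUnmarshal and the hardened flag are mine; the two guard forms are the ones I understand the 1.3.1 and 1.3.2 generators to emit; the crafted message is constructed for the example; and binary.Uvarint stands in for the generated varint loops, so truncation and overlong input collapse into one error.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math"
)

// Stand-in for the ErrInvalidLengthXxx value gogo emits into each generated file.
var ErrInvalidLength = errors.New("proto: negative length found during unmarshaling")

// decodeVarint reads one base-128 varint, returning the value and bytes consumed.
func decodeVarint(dAtA []byte) (uint64, int, error) {
	v, n := binary.Uvarint(dAtA)
	if n <= 0 { // truncated or overlong; the generated loops distinguish the two
		return 0, 0, io.ErrUnexpectedEOF
	}
	return v, n, nil
}

// skipField mirrors a generated skipXxx() helper, reduced to length-delimited
// fields: it returns the field's full size and only rejects a negative length.
func skipField(dAtA []byte) (int, error) {
	wire, n, err := decodeVarint(dAtA)
	if err != nil {
		return 0, err
	}
	if wire&0x7 != 2 {
		return 0, fmt.Errorf("wire type %d not handled in this example", wire&0x7)
	}
	length, m, err := decodeVarint(dAtA[n:])
	if err != nil {
		return 0, err
	}
	if int(length) < 0 {
		return 0, ErrInvalidLength
	}
	iNdEx := n + m + int(length) // may legitimately equal math.MaxInt64
	if iNdEx < 0 {
		return 0, ErrInvalidLength
	}
	return iNdEx, nil
}

// unmarshal follows the default: branch of a generated Unmarshal(): each field
// is treated as unknown, measured by the skipper and copied into the returned
// XXX_unrecognized-style buffer. hardened selects the pre-1.3.2 or the 1.3.2
// guard in front of that copy.
func unmarshal(dAtA []byte, hardened bool) ([]byte, error) {
	var unrecognized []byte
	l := len(dAtA)
	for iNdEx := 0; iNdEx < l; {
		skippy, err := skipField(dAtA[iNdEx:])
		if err != nil {
			return nil, err
		}
		// Guard before the copy: pre-1.3.2 output has only "if skippy < 0 {"; 1.3.2
		// has "if (skippy < 0) || (iNdEx+skippy) < 0 {" (as I understand the generator).
		if skippy < 0 || (hardened && iNdEx+skippy < 0) {
			return nil, ErrInvalidLength
		}
		if (iNdEx + skippy) > l {
			return nil, io.ErrUnexpectedEOF
		}
		// With the weaker guard and a wrapped sum, this slice expression is
		// what panics with "slice bounds out of range".
		unrecognized = append(unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
		iNdEx += skippy
	}
	return unrecognized, nil
}

// craftedMessage is constructed input: an empty field 1 (2 bytes), then a field 2
// whose length varint claims math.MaxInt64-10 bytes, so skippy == math.MaxInt64.
func craftedMessage() []byte {
	var tmp [binary.MaxVarintLen64]byte
	n := binary.PutUvarint(tmp[:], uint64(math.MaxInt64-10))
	return append([]byte{0x0a, 0x00, 0x12}, tmp[:n]...)
}

// tryUnmarshal converts a runtime panic into a result so both guards compare.
func tryUnmarshal(dAtA []byte, hardened bool) (unrecognized []byte, panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked, err = true, fmt.Errorf("panic: %v", r)
		}
	}()
	unrecognized, err = unmarshal(dAtA, hardened)
	return unrecognized, false, err
}

func main() {
	_, p1, e1 := tryUnmarshal(craftedMessage(), false)
	_, p2, e2 := tryUnmarshal(craftedMessage(), true)
	fmt.Printf("pre-1.3.2 guard: panicked=%v err=%v\n1.3.2 guard: panicked=%v err=%v\n", p1, e1, p2, e2)
}
```

The skipper's own checks pass because the claimed length is positive and the local index never goes negative; it is the caller's iNdEx+skippy (2 + MaxInt64) that wraps, and the weaker guard then reaches the slice expression with a negative upper bound. Real generated code has no recover() around Unmarshal, so that panic ends the process unless a caller recovers it, which is why the Moderate ratings in this bug hinge on whether a component parses protobuf from unauthenticated peers.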
This issue has been addressed in the following products:

Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 7

Via RHSA-2021:0607 https://access.redhat.com/errata/RHSA-2021:0607
Statement:

OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) all include code generated by github.com/gogo/protobuf to parse protobuf messages. However, no component is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate for OCP, OSSM and RHOSJ.

OpenShift Virtualization includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no component of OpenShift Virtualization is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate.

Red Hat Advanced Cluster Management for Kubernetes (RHACM) includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no RHACM component accepts protobuf messages from unauthenticated sources, and the affected code is used with a limited scope, hence this vulnerability is rated Moderate for RHACM.

Red Hat Cluster Application Migration (CAM) includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no CAM component is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate for CAM.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3121
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2020:5634 https://access.redhat.com/errata/RHSA-2020:5634
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2020:5635 https://access.redhat.com/errata/RHSA-2020:5635
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633
This issue has been addressed in the following products:

Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 7

Via RHSA-2021:0719 https://access.redhat.com/errata/RHSA-2021:0719
This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1006 https://access.redhat.com/errata/RHSA-2021:1006
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1007 https://access.redhat.com/errata/RHSA-2021:1007
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1005 https://access.redhat.com/errata/RHSA-2021:1005
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1227 https://access.redhat.com/errata/RHSA-2021:1227
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1225 https://access.redhat.com/errata/RHSA-2021:1225
This bug will be shipped as part of the next z-stream release, 4.7.11, on May 19th, as 4.7.10 was dropped due to a blocker: https://bugzilla.redhat.com/show_bug.cgi?id=1958518.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1552 https://access.redhat.com/errata/RHSA-2021:1552
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1563 https://access.redhat.com/errata/RHSA-2021:1563
This issue has been addressed in the following products: OpenShift Logging 5.0 Via RHSA-2021:2136 https://access.redhat.com/errata/RHSA-2021:2136
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:2121 https://access.redhat.com/errata/RHSA-2021:2121
This bug will be shipped as part of the next z-stream release, 4.7.15, on June 14th, as 4.7.14 was dropped due to a regression: https://bugzilla.redhat.com/show_bug.cgi?id=1967614
This issue has been addressed in the following products: OpenShift Logging 5.0 Via RHSA-2021:2374 https://access.redhat.com/errata/RHSA-2021:2374
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:2286 https://access.redhat.com/errata/RHSA-2021:2286
This issue has been addressed in the following products: RHEL-8-CNV-4.8 Via RHSA-2021:2920 https://access.redhat.com/errata/RHSA-2021:2920
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:2977 https://access.redhat.com/errata/RHSA-2021:2977
This issue has been addressed in the following products: RHEL-8-CNV-4.8 Via RHSA-2021:3259 https://access.redhat.com/errata/RHSA-2021:3259
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:3262 https://access.redhat.com/errata/RHSA-2021:3262
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:3303 https://access.redhat.com/errata/RHSA-2021:3303
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759
This issue has been addressed in the following products: RHEL-8-CNV-4.9 Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:0283 https://access.redhat.com/errata/RHSA-2022:0283
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0056 https://access.redhat.com/errata/RHSA-2022:0056
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577
This issue has been addressed in the following products: OpenShift Service Mesh 2.0 Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276
This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2022:1679 https://access.redhat.com/errata/RHSA-2022:1679
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.11 Via RHSA-2022:6536 https://access.redhat.com/errata/RHSA-2022:6536
This issue has been addressed in the following products: AMQ Broker 7.10.1 Via RHSA-2022:6916 https://access.redhat.com/errata/RHSA-2022:6916
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days